Proactive doing

Hej LE-and-certbot-community,

first let me give a big THANK YOU to everybody working on letsencrypt and certbot. This is a fantastic possibility to have a stable working ssl-environment!

So do I. My environment is small: It is a RasPi4 with Debian Bookworm, all from the stable repo, running Apache2 (2.4.59) and additional lamp-stuff. I once installed certbot by using Python pip and have a perfectly running system with certbot 2.6.0, serving a handful of domains with wildcard certificates, one of them is cation.de.

Now I was reading and trying to understand this
Vertrauenskette - Let's Encrypt - Freie SSL/TLS Zertifikate .

My certificates claim to be signed with the mentioned R3-Cert, valid until September 25th, so I seem to be affected.

As I was reading "Die empfohlene Let’s Encrypt Client-Software, Certbot, macht diese Konfiguration nahtlos." I am encouraged to leave the whole environment as it is or - reading the English version - I think about upgrading certbot to the latest version that seems to be 2.11.0.

Before touching, I want to ask for knowledge and experience:
What would be the best thing to do? Just leave it as is? Upgrading certbot? Switching the chain?

Thanks and regards,

Boris

2 Likes

You should not have to do anything. Although, keeping Certbot current is always good practice.

When you request a cert you get a "leaf" cert and its related intermediate chain returned to you. You likely already use the "fullchain.pem" file in your Apache config. This includes your "leaf" cert and its intermediate certs.

Your next renewal will have a different intermediate cert in "fullchain.pem" (and also in "chain.pem" which you probably don't use or need).

No action is required on your part. Apache will use the file to output the current cert and chain.

See this related announcement

Especially this:

Most Let’s Encrypt Subscribers will not need to take any action in response to this change because ACME clients, like certbot, will automatically configure the new intermediates when certificates are renewed. The Subscribers who will be affected are those who currently pin intermediate certificates.

4 Likes
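A check for the situation described in the answer above, as an added example that is not part of the thread: it scans Apache configuration text and reports whether the certificate and chain being served come from the files certbot replaces on renewal. The sample configs, the example.org paths, the intermediate.pem file name and the finding codes are constructed for illustration; /etc/letsencrypt/live/ is certbot's default location, and treating a chain file outside it as a fixed copy is a heuristic.

```python
import re

LIVE = "/etc/letsencrypt/live/"  # certbot's default directory of renewed files
DIRECTIVE = re.compile(
    r'^(SSLCertificateFile|SSLCertificateChainFile)\s+"?([^"\s]+)"?', re.I)

# Constructed sample configs (not taken from the thread).
SAMPLE_FULLCHAIN = """
SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
"""
SAMPLE_STATIC = """
SSLCertificateFile /etc/letsencrypt/live/example.org/fullchain.pem
SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
"""
SAMPLE_LEAF_ONLY = """
# SSLCertificateChainFile /etc/letsencrypt/live/example.org/chain.pem
SSLCertificateFile "/etc/letsencrypt/live/example.org/cert.pem"
"""

def audit_apache_tls(conf_text):
    """Return a sorted list of finding codes for one Apache config snippet."""
    cert_paths, chain_paths = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out directives are not in effect
        m = DIRECTIVE.match(line)
        if m:
            is_cert = m.group(1).lower() == "sslcertificatefile"
            (cert_paths if is_cert else chain_paths).append(m.group(2))

    findings = set()
    if not cert_paths:
        findings.add("no-cert-directive")
    for p in chain_paths:
        if not p.startswith(LIVE):
            findings.add("static-chain-file")  # will not follow a new intermediate
    for p in cert_paths:
        if p.startswith(LIVE) and p.endswith("/fullchain.pem"):
            continue  # leaf plus intermediates, replaced together on renewal
        if not p.startswith(LIVE):
            findings.add("cert-outside-live-dir")
        if not any(c.startswith(LIVE) for c in chain_paths):
            findings.add("no-renewed-chain")  # leaf served without a renewed chain
    return sorted(findings)

if __name__ == "__main__":
    for name in ("SAMPLE_FULLCHAIN", "SAMPLE_STATIC", "SAMPLE_LEAF_ONLY"):
        print(name, audit_apache_tls(globals()[name]))
```

An empty list means the configuration picks up whatever intermediate the next renewal writes into fullchain.pem.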

Hej Mike,

thank you very much for your statement.

Yes, I am using the fullchain file.

So, everything seems just fine. That makes me sleep well!

Regards,

Boris

4 Likes
